update apparmor profiles

parent a4589645
# vim:syntax=apparmor
# ------------------------------------------------------------------
#
# Copyright (C) 2020 Mikhail Morfikov
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
#include <tunables/global>
@{exec_path} = /{usr/,}lib/accountsservice/accounts-daemon /usr/libexec/accounts-daemon
profile accounts-daemon @{exec_path} {
#include <abstractions/base>
#include <abstractions/wutmp>
#include <abstractions/nameservice-strict>
# Needed?
deny capability sys_nice,
@{exec_path} mr,
owner /var/lib/AccountsService/ r,
owner /var/lib/AccountsService/** rw,
/usr/share/accountsservice/{,**} r,
/usr/share/dbus-1/interfaces/org.freedesktop.DisplayManager.AccountsService.xml r,
/etc/shells r,
/etc/shadow r,
/var/log/wtmp r,
#include if exists <local/accounts-daemon>
}
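Review bot: The `deny capability sys_nice,` rule at the top of the new accounts-daemon profile still carries the open question `# Needed?`, but the profile has no `flags=(complain)` and explicit `deny` rules are quiet, so if the daemon does need the capability the failure will be silent in enforce mode. While the question is open, `audit deny capability sys_nice,` surfaces any attempt in the audit log without granting it, and once settled the comment should record the decision instead of the question. The `/etc/shadow r,` rule is the most sensitive grant in this profile and deserves its own why-line, e.g. `# reads the shadow database — confirm which fields accounts-daemon actually needs`.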
......@@ -46,9 +46,6 @@ profile adequate @{exec_path} flags=(complain) {
/usr/share/**/__pycache__/ r,
/usr/**/*.py r,
# file_inherit
/dev/tty[0-9]* rw,
profile ldd flags=(complain) {
#include <abstractions/base>
......
......@@ -12,7 +12,7 @@
#include <tunables/global>
@{exec_path} = /{usr/,}bin/amixer
profile amixer @{exec_path} flags=(complain) {
profile amixer @{exec_path} {
#include <abstractions/base>
#include <abstractions/audio>
......
......@@ -47,7 +47,6 @@ profile appstreamcli @{exec_path} flags=(complain) {
/var/lib/apt/lists/*_Components-*.gz r,
# file_inherit
/dev/tty[0-9]* rw,
/var/log/cron-apt/temp w,
......
......@@ -44,6 +44,7 @@ profile apt @{exec_path} flags=(complain) {
/{usr/,}bin/dpkg rPx,
/{usr/,}bin/apt-listbugs rPx,
/{usr/,}bin/apt-listchanges rPx,
/{usr/,}bin/apt-show-versions rPx,
/{usr/,}sbin/dpkg-preconfigure rPx,
/{usr/,}bin/debtags rPx,
/{usr/,}sbin/localepurge rPx,
......
......@@ -23,8 +23,5 @@ profile apt-config @{exec_path} flags=(complain) {
owner @{PROC}/@{pid}/fd/ r,
# file_inherit
/dev/tty[0-9]* rw,
#include if exists <local/apt-config>
}
......@@ -44,6 +44,7 @@ profile apt-get @{exec_path} flags=(complain) {
/{usr/,}bin/dpkg rPx,
/{usr/,}bin/apt-listbugs rPx,
/{usr/,}bin/apt-listchanges rPx,
/{usr/,}bin/apt-show-versions rPx,
/{usr/,}sbin/dpkg-preconfigure rPx,
/{usr/,}bin/debtags rPx,
/{usr/,}sbin/localepurge rPx,
......
......@@ -50,9 +50,6 @@ profile apt-key @{exec_path} flags=(complain) {
owner /tmp/apt-key-gpghome.*/{,**} rw,
# file_inherit
/dev/tty[0-9]* rw,
profile gpg flags=(complain) {
#include <abstractions/base>
......
......@@ -50,8 +50,5 @@ profile apt-listbugs @{exec_path} {
owner @{PROC}/@{pid}/mounts r,
@{HOME}/.Xauthority r,
# file_inherit
/dev/tty[0-9]* rw,
#include if exists <local/apt-listbugs>
}
......@@ -68,9 +68,6 @@ profile apt-listchanges @{exec_path} {
owner @{PROC}/@{pid}/mounts r,
@{HOME}/.Xauthority r,
# file_inherit
/dev/tty[0-9]* rw,
profile sensible-pager {
#include <abstractions/base>
......@@ -88,9 +85,6 @@ profile apt-listchanges @{exec_path} {
owner /tmp/apt-listchanges-tmp*.txt r,
# file_inherit
/dev/tty[0-9]* rw,
}
#include if exists <local/apt-listchanges>
......
......@@ -23,7 +23,7 @@ profile apt-methods-cdrom @{exec_path} flags=(complain) {
@{exec_path} mr,
# file_inherit
/dev/tty[0-9]* rw,
owner /dev/tty[0-9]* rw,
#include if exists <local/apt-methods-cdrom>
}
......@@ -38,7 +38,7 @@ profile apt-methods-copy @{exec_path} flags=(complain) {
owner /var/lib/apt/lists/{partial/,}*_{In,}Release{,.*} rw,
# file_inherit
/dev/tty[0-9]* rw,
owner /dev/tty[0-9]* rw,
/var/log/cron-apt/temp w,
#include if exists <local/apt-methods-copy>
......
......@@ -38,7 +38,7 @@ profile apt-methods-file @{exec_path} flags=(complain) {
owner /var/lib/apt/lists/partial/* rw,
# file_inherit
/dev/tty[0-9]* rw,
owner /dev/tty[0-9]* rw,
/var/log/cron-apt/temp w,
#include if exists <local/apt-methods-file>
......
......@@ -23,7 +23,7 @@ profile apt-methods-ftp @{exec_path} flags=(complain) {
@{exec_path} mr,
# file_inherit
/dev/tty[0-9]* rw,
owner /dev/tty[0-9]* rw,
#include if exists <local/apt-methods-ftp>
}
......@@ -72,7 +72,7 @@ profile apt-methods-gpgv @{exec_path} flags=(complain) {
/ r,
# file_inherit
/dev/tty[0-9]* rw,
owner /dev/tty[0-9]* rw,
/var/log/cron-apt/temp w,
#include if exists <local/apt-methods-gpgv>
......
......@@ -54,7 +54,7 @@ profile apt-methods-http @{exec_path} flags=(complain) {
@{PROC}/@{pid}/cgroup r,
# file_inherit
/dev/tty[0-9]* rw,
owner /dev/tty[0-9]* rw,
/var/log/cron-apt/temp w,
#include if exists <local/apt-methods-http>
......
......@@ -23,7 +23,7 @@ profile apt-methods-mirror @{exec_path} flags=(complain) {
@{exec_path} mr,
# file_inherit
/dev/tty[0-9]* rw,
owner /dev/tty[0-9]* rw,
#include if exists <local/apt-methods-mirror>
}
......@@ -39,7 +39,7 @@ profile apt-methods-rred @{exec_path} flags=(complain) {
/var/lib/apt/lists/partial/* rw,
# file_inherit
/dev/tty[0-9]* rw,
owner /dev/tty[0-9]* rw,
/var/log/cron-apt/temp w,
#include if exists <local/apt-methods-rred>
......
......@@ -23,7 +23,7 @@ profile apt-methods-rsh @{exec_path} flags=(complain) {
@{exec_path} mr,
# file_inherit
/dev/tty[0-9]* rw,
owner /dev/tty[0-9]* rw,
#include if exists <local/apt-methods-rsh>
}
......@@ -43,7 +43,7 @@ profile apt-methods-store @{exec_path} flags=(complain) {
owner /tmp/apt-changelog-*/*.changelog{,.*} rw,
# file_inherit
/dev/tty[0-9]* rw,
owner /dev/tty[0-9]* rw,
owner /var/log/cron-apt/temp w,
#include if exists <local/apt-methods-store>
......
# vim:syntax=apparmor
# ------------------------------------------------------------------
#
# Copyright (C) 2019-2020 Mikhail Morfikov
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
#include <tunables/global>
@{exec_path} = /{usr/,}bin/apt-show-versions
profile apt-show-versions @{exec_path} flags=(complain) {
#include <abstractions/base>
#include <abstractions/perl>
#include <abstractions/apt-common>
#include <abstractions/apt-pkgcache>
@{exec_path} r,
/{usr/,}bin/perl r,
/usr/bin/dpkg rPx -> child-dpkg,
owner /var/cache/apt-show-versions/{a,i}packages-multiarch rw,
owner /var/cache/apt-show-versions/files rw,
owner /tmp/clearsigned.message.* rw,
owner @{PROC}/@{pid}/fd/ r,
/var/lib/dpkg/status r,
/var/lib/apt/extended_states r,
/var/cache/apt/pkgcache.bin r,
# file_inherit
owner /dev/tty[0-9]* rw,
owner /var/log/cron-apt/temp w,
#include if exists <local/apt-show-versions>
}
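Review bot: `/usr/bin/dpkg rPx -> child-dpkg,` in the new apt-show-versions profile spells the dpkg path differently from every other rule in this commit, which use the `/{usr/,}bin/dpkg` alternation (the apt, apt-get and aptitude hunks and the check-support-status profile). A transition rule matches the exact path the program execs, so a spelling that differs from the sibling profiles is where an unexpected exec denial would first appear once the profile leaves complain mode. `/{usr/,}bin/dpkg rPx -> child-dpkg,` keeps the set consistent.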
......@@ -46,6 +46,7 @@ profile aptitude @{exec_path} flags=(complain) {
/{usr/,}bin/dpkg rPx,
/{usr/,}bin/apt-listbugs rPx,
/{usr/,}bin/apt-listchanges rPx,
/{usr/,}bin/apt-show-versions rPx,
/{usr/,}sbin/dpkg-preconfigure rPx,
/{usr/,}bin/debtags rPx,
/{usr/,}sbin/localepurge rPx,
......@@ -123,8 +124,8 @@ profile aptitude @{exec_path} flags=(complain) {
/dev/tty[0-9]* rw,
# file_inherit
/var/log/cron-apt/temp w,
/dev/pts/[0-9]* rw,
/var/log/cron-apt/temp w,
profile sensible-pager flags=(complain) {
......
......@@ -31,7 +31,7 @@ profile at-spi-bus-launcher @{exec_path} {
/usr/share/glib-2.0/schemas/gschemas.compiled r,
# file_inherit
/dev/tty[0-9]* rw,
owner /dev/tty[0-9]* rw,
owner @{HOME}/.xsession-errors w,
owner @{HOME}/.local/share/sddm/{xorg,wayland}-session.log w,
/var/log/lightdm/seat[0-9]*-greeter.log w,
......
# vim:syntax=apparmor
# ------------------------------------------------------------------
#
# Copyright (C) 2020 Mikhail Morfikov
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
#include <tunables/global>
@{exec_path} = /{usr/,}bin/check-support-status
profile check-support-status @{exec_path} flags=(complain) {
#include <abstractions/base>
#include <abstractions/consoles>
@{exec_path} rix,
/{usr/,}bin/dash r,
/etc/debian_version r,
/{usr/,}bin/gettext.sh r,
/{usr/,}bin/cat rix,
/{usr/,}bin/grep rix,
/{usr/,}bin/egrep rix,
/{usr/,}bin/cut rix,
/{usr/,}bin/date rix,
/{usr/,}bin/getopt rix,
/{usr/,}bin/fold rix,
/{usr/,}bin/mktemp rix,
/{usr/,}bin/rm rix,
/{usr/,}bin/awk rix,
/{usr/,}bin/comm rix,
/{usr/,}bin/mkdir rix,
/{usr/,}bin/mv rix,
/{usr/,}bin/find rix,
/{usr/,}bin/wc rix,
/{usr/,}bin/basename rix,
/{usr/,}bin/gawk rix,
/{usr/,}bin/sort rix,
/{usr/,}bin/head rix,
/{usr/,}bin/gettext rix,
/{usr/,}bin/sed rix,
/{usr/,}bin/envsubst rix,
/{usr/,}bin/dpkg-query rPx,
/{usr/,}bin/dpkg rPx -> child-dpkg,
/tmp/ r,
owner /tmp/debian-security-support.*/{,**} rw,
/tmp/debian-security-support.postinst.*/output w,
/var/lib/debian-security-support/security-support.semaphore r,
/usr/share/debian-security-support/* r,
# file_inherit
/dev/pts/[0-9]* rw,
#include if exists <local/check-support-status>
}
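Review bot: `/tmp/debian-security-support.postinst.*/output w,` in the new check-support-status profile is a non-owner write into a predictable /tmp path, although the rule just above it, `owner /tmp/debian-security-support.*/{,**} rw,`, already covers that file for the owning uid. The hook profile's `chown`, `runuser` and `output w` rules suggest the directory is created by the postinst under one uid and the script then runs as another; if that is the reason, say so on the rule, e.g. `# output file is created by the postinst hook under a different uid, so owner cannot be used`, otherwise drop it in favour of the owner rule. `@{exec_path} rix,` also differs from the `@{exec_path} r,` form the other shell-script profiles in this commit use; `r` is sufficient unless the script re-executes itself.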
# vim:syntax=apparmor
# ------------------------------------------------------------------
#
# Copyright (C) 2020 Mikhail Morfikov
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
#include <tunables/global>
@{exec_path} = /usr/share/debian-security-support/check-support-status.hook
profile check-support-status-hook @{exec_path} flags=(complain) {
#include <abstractions/base>
#include <abstractions/consoles>
#include <abstractions/nameservice-strict>
@{exec_path} r,
/{usr/,}bin/dash r,
/{usr/,}bin/getent rix,
/{usr/,}bin/mkdir rix,
/{usr/,}bin/chown rix,
/{usr/,}bin/stat rix,
/{usr/,}bin/mktemp rix,
/{usr/,}bin/rm rix,
/{usr/,}sbin/runuser rPUx,
/{usr/,}sbin/adduser rPx,
/{usr/,}bin/check-support-status rPx,
# Think what to do about this (#FIXME#)
/usr/share/debconf/frontend rPx,
#/usr/share/debconf/frontend rCx -> frontend,
/usr/share/debconf/confmodule r,
owner /tmp/debian-security-support.postinst.*/ rw,
owner /tmp/debian-security-support.postinst.*/output w,
# file_inherit
/dev/pts/[0-9]* rw,
profile frontend flags=(complain) {
#include <abstractions/base>
#include <abstractions/consoles>
#include <abstractions/perl>
#include <abstractions/nameservice-strict>
/usr/share/debconf/frontend r,
/{usr/,}bin/perl r,
/usr/share/debian-security-support/check-support-status.hook rPx,
/{usr/,}bin/dash rix,
/{usr/,}bin/stty rix,
/{usr/,}bin/locale rix,
/etc/debconf.conf r,
owner /var/cache/debconf/{config,passwords,templates}.dat{,-new,-old} rwk,
# The following is needed when debconf uses GUI frontends.
#include <abstractions/gtk>
#include <abstractions/fonts>
#include <abstractions/fontconfig-cache-read>
#include <abstractions/freedesktop.org>
capability dac_read_search,
/{usr/,}bin/lsb_release rPx -> child-lsb_release,
/{usr/,}bin/hostname rPx,
owner @{PROC}/@{pid}/mounts r,
@{HOME}/.Xauthority r,
}
#include if exists <local/check-support-status-hook>
}
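Review bot: The child `profile frontend flags=(complain) { … }` in check-support-status-hook is unreachable: the only transition into it, `#/usr/share/debconf/frontend rCx -> frontend,`, is commented out in favour of `/usr/share/debconf/frontend rPx,`, so the debconf frontend runs under whatever global profile attaches to that path and the child's rules, including `capability dac_read_search,`, are dead policy. Either re-enable the `rCx` transition and drop the `rPx` line, or remove the child profile, so the `#FIXME#` does not ship as unused rules that a later reader will assume are in effect. If the child is kept for a later decision, the comment should name the two routes and what blocks choosing one, rather than `# Think what to do about this (#FIXME#)`.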
......@@ -34,7 +34,6 @@ profile child-dpkg {
/var/lib/dpkg/** r,
# file_inherit
/dev/tty[0-9]* rw,
/tmp/#[0-9]*[0-9] rw,
#include if exists <local/child-dpkg>
......
......@@ -30,8 +30,6 @@ profile chromium-chromium @{exec_path} {
#include <abstractions/nameservice-strict>
#include <abstractions/dconf-deny>
capability sys_nice,
# The following rules are needed only when the kernel.unprivileged_userns_clone option is set
# to "1".
capability sys_admin,
......
......@@ -24,7 +24,7 @@ profile compton @{exec_path} {
owner @{HOME}/.Xauthority r,
# file_inherit
/dev/tty[0-9]* rw,
owner /dev/tty[0-9]* rw,
owner @{HOME}/.xsession-errors w,
owner @{HOME}/.local/share/sddm/{xorg,wayland}-session.log w,
......
......@@ -134,7 +134,7 @@ profile conky @{exec_path} {
/usr/share/X11/XErrorDB r,
# file_inherit
/dev/tty[0-9]* rw,
owner /dev/tty[0-9]* rw,
owner @{HOME}/.xsession-errors w,
owner @{HOME}/.local/share/sddm/{xorg,wayland}-session.log w,
......@@ -157,7 +157,7 @@ profile conky @{exec_path} {
/usr/share/publicsuffix/public_suffix_list.* r,
# file_inherit
/dev/tty[0-9]* rw,
owner /dev/tty[0-9]* rw,
}
......@@ -188,7 +188,8 @@ profile conky @{exec_path} {
deny @{PROC}/@{pids}/cmdline r,
deny @{PROC}/@{pids}/io r,
deny @{sys}/devices/**/hwmon/**/temp*_input r,
/dev/tty[0-9]* rw,
owner /dev/tty[0-9]* rw,
}
profile lynx {
......@@ -209,7 +210,7 @@ profile conky @{exec_path} {
owner @{HOME}/.conky/** rw,
# file_inherit
/dev/tty[0-9]* rw,
owner /dev/tty[0-9]* rw,
}
......@@ -235,7 +236,7 @@ profile conky @{exec_path} {
/etc/ssl/openssl.cnf r,
# file_inherit
/dev/tty[0-9]* rw,
owner /dev/tty[0-9]* rw,
}
......
......@@ -81,7 +81,8 @@ profile cron @{exec_path} {
/etc/cron.hourly/ r,
/etc/cron.daily/ r,
/etc/cron.daily/apt-listbugs rPUx,
/etc/cron.daily/apt-listbugs rPx,
/etc/cron.daily/apt-show-versions rPx,
/etc/cron.daily/bsdmainutils rPUx,
/etc/cron.daily/debtags rPUx,
/etc/cron.daily/exim4-base rPUx,
......@@ -89,9 +90,8 @@ profile cron @{exec_path} {
/etc/cron.daily/mlocate rPx,
/etc/cron.daily/dlocate rPx,
/etc/cron.daily/passwd rPUx,
/etc/cron.daily/polipo rPUx,
/etc/cron.daily/apt-compat rPUx,
/etc/cron.daily/aptitude rPUx,
/etc/cron.daily/aptitude rPx,
/etc/cron.daily/debsums rPx,
/etc/cron.daily/dpkg rPUx,
/etc/cron.daily/man-db rPUx,
......@@ -99,21 +99,20 @@ profile cron @{exec_path} {
/etc/cron.daily/sysstat rPx,
/etc/cron.daily/spamassassin rPUx,
/etc/cron.daily/opera-browser rPUx,
/etc/cron.daily/google-chrome{,-beta,-unstable} rPUx,
/opt/google/chrome{,-beta,-unstable}/cron/google-chrome{,-beta,-unstable} rPUx,
/opt/brave.com/brave/cron/brave-browser{,-beta,-dev} rPUx,
/opt/brave.com/brave{,-beta,-dev}/cron/brave-browser{,-beta,-dev} rPUx,
#/etc/cron.daily/opera-browser rPUx,
#/etc/cron.daily/google-chrome{,-beta,-unstable} rPUx,
#/opt/google/chrome{,-beta,-unstable}/cron/google-chrome{,-beta,-unstable} rPUx,
#/opt/brave.com/brave/cron/brave-browser{,-beta,-dev} rPUx,
#/opt/brave.com/brave{,-beta,-dev}/cron/brave-browser{,-beta,-dev} rPUx,
/etc/cron.monthly/ r,
/etc/cron.monthly/debsums rPx,
/etc/cron.monthly/vrms rPUx,
/etc/cron.weekly/ r,
/etc/cron.weekly/apt-xapian-index rPUx,
/etc/cron.weekly/apt-xapian-index rPx,
/etc/cron.weekly/debsums rPx,
/etc/cron.weekly/man-db rPUx,
/etc/cron.weekly/polipo rPUx,
/etc/cron.weekly/tor rPUx,
# file_inherit
......
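Review bot: `/etc/cron.daily/aptitude rPx,` and `/etc/cron.weekly/apt-xapian-index rPx,` drop the `U` fallback, so cron can now execute those jobs only if a loaded profile attaches to exactly those paths, and since `profile cron @{exec_path} {` carries no `flags=(complain)` a missing target fails the job instead of running it unconfined. The commit adds `cron-apt-listbugs` and `cron-apt-show-versions` for the two other new `rPx` targets, but no `cron-aptitude` or `cron-apt-xapian-index` profile is visible in this chunk; confirm both exist, or keep `rPUx` until they do. The five browser cron rules are left as commented-out lines (`#/etc/cron.daily/opera-browser rPUx,` and the four `/opt/...` lines); a one-line comment stating why they are disabled would keep them from reading as leftovers, otherwise remove them. This section continues past the collapsed region.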
# vim:syntax=apparmor
# ------------------------------------------------------------------
#
# Copyright (C) 2019-2020 Mikhail Morfikov
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
#include <tunables/global>
@{exec_path} = /etc/cron.daily/apt-listbugs
profile cron-apt-listbugs @{exec_path} {
#include <abstractions/base>
@{exec_path} r,
/{usr/,}bin/dash r,
/{usr/,}lib/ruby/vendor_ruby/aptlistbugs/prefclean rCx -> prefclean,
/{var/,}run/systemd/system r,
profile prefclean {
#include <abstractions/base>
/{usr/,}lib/ruby/vendor_ruby/aptlistbugs/prefclean mr,
/{usr/,}bin/dash r,
/{usr/,}bin/mktemp rix,
/{usr/,}bin/rm rix,
/{usr/,}bin/cp rix,
/{usr/,}bin/date rix,
/{usr/,}bin/cat rix,
/var/spool/apt-listbugs/lastprefclean rw,
}
#include if exists <local/cron-apt-listbugs>
}
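Review bot: The `prefclean` child profile in cron-apt-listbugs grants `/{usr/,}bin/mktemp rix,`, `/{usr/,}bin/cp rix,` and `/{usr/,}bin/rm rix,` but lists `/var/spool/apt-listbugs/lastprefclean rw,` as its only writable path, and neither it nor the parent carries `flags=(complain)`, so the child is enforced from the first cron run. If prefclean's mktemp lands in /tmp, or cp/rm touch anything beyond that one file, those accesses will be denied; the script's temp location should be confirmed and a matching `owner /tmp/... rw,` rule added if needed. A line on the child such as `# prefclean is expected to write only lastprefclean — confirm mktemp/cp targets` would document the intended footprint.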
# vim:syntax=apparmor
# ------------------------------------------------------------------
#
# Copyright (C) 2019-2020 Mikhail Morfikov
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
#include <tunables/global>
@{exec_path} = /etc/cron.daily/apt-show-versions
profile cron-apt-show-versions @{exec_path} {
#include <abstractions/base>
@{exec_path} r,